Guest Tempus

Thank you for the heads up, will give the new beta version another spin. There is something that I find a little odd. How can it be that the notification about the release of a public beta update is announced on Wilders before it is announced here? Most often I must go to Wilders security forum first. That is for me not logical. I use some of my spare time (like others) to beta test... to help out with what we can. And personally I don't want to surf around on other forums to seek out information that should easily be found in this thread, e.g. as a sticky note. Well, that was my grumble, hope it is still somewhat constructive.

I just took the plunge and installed EIS 9 Beta. At first it went well until I tried to import my config for EAM and then the gui changed from EIS to EAM! So I uninstalled and did a clean install again. See images below.

Would it be possible to have a way to copy a created rule from another application? It's a bit time consuming to do rules creation from scratch and there are similar rules that I use for, say, media players and image editors...is that possible?

I seem to see that every update I have a pop-up that I have to restart. Is that normal? Have seen it around 3x now and I did restart after the two updates (so I restarted 2x now).

Guest Tempus

I have just done a quick test of "Fixed auto-update execution if update was missed due to game mode". After almost two hours on game mode it auto updated perfectly. Thanks for adding this feature, I am very, very pleased. Have EIS on Windows 7 and EAM on Windows 8.1. Both 64 bit platforms. And so far I have not seen any strange behaviour regarding what has been fixed. I know some who have had, or still have, issues regarding Windows security center. But I haven't met any issue in that regard, yet... (Btw, I know it is a little bit off topic, but I really like that you/Emsisoft keep focusing on improving Emsisoft core protection and modules, and are not falling for the temptation to add toolbars, registry cleaners or any of that kind of snake oil.)

I was fiddling with the rules creation earlier and there were pop-ups that EIS threw. When I checked the logs and double-clicked an item I could not get any details of any log there.

Along the process of launching programs (after rules creation) I needed to review/check what I may have done wrong or what needs to be corrected. As I see it, you cannot review or see details or additional info for any of the logs, except in the Firewall logs which have an "App rule added".

Firewall logs with "App rule added".

Can there be some kind of way to see the details of all the logs?

Also I happened to get a pop-up when I wanted to launch PuranDefrag. It says that PuranDefragGUI is "attemting to manipulate other processes". I do not know what "processes" they are?

Is it possible for the EIS pop-up to state/list what "process" or "processes" the program is trying to manipulate?

Also along the line of the pop-ups, I seem to remember that in OA Premium when a pop-up is thrown and you answer it, say, "Block", the application rules are updated to include the answer you gave to that pop-up or something like that. That is true with the pop-up I got when I tried to click "View Website" in PuranDefrag. But the target application is the one identified in the pop-up. There is no hint of PuranDefrag trying to launch Firefox....

"The program firefox.exe wants to connect to a computer on port 10xx"...So the connection to a computer(URL) via the port 10xx will be blocked and not firefox.exe...? Correct..? So application(firefox.exe) launch will be allowed?

I see that when I repeat the click on "View Website" there is still the pop-up with another port number. PuranDefrag triggers firefox.exe for a connection and continues to search for every port available (1031, 1053, 1059, 1061, 1087 and counting). Isn't it simpler to block the "trigger", or PuranDefrag from starting another application? Can that be done with EISv9..?

I just took the plunge and installed EIS 9 Beta. At first it went well until I tried to import my config for EAM and then the gui changed from EIS to EAM! So I uninstalled and did a clean install again. See images below.

I think that happened because the license information in a2settings.ini was for Emsisoft Anti-Malware. Had you imported everything except the settings, you probably wouldn't have seen that.

I'll let our QA manager know about this so that he can look into it further.

It is unlikely to happen. For the firewall we could create rather exhaustive logs, but most people aren't interested in those details. So we don't. For the behavior blocker logs it's more of a technical limitation as the component doesn't provide many details to the GUI to begin with except which process caused it. This is unlikely to change as well, since unlike HIPS it is rarely just one thing that sets the behavior blocker off that could be logged conveniently. It usually is a combination of actions that triggers an alert.

Is it possible for the EIS pop-up to state/list what "process" or "processes" the program is trying to manipulate?

Not at the moment, no.

"The program firefox.exe wants to connect to a computer on port 10xx"...So the connection to a computer(URL) via the port 10xx will be blocked and not firefox.exe...? Correct..? So application(firefox.exe) launch will be allowed?

Correct.

I see that when I repeat the click on "View Website" there is still the pop-up with another port number. PuranDefrag triggers firefox.exe for a connection and continues to search for every port available (1031, 1053, 1059, 1061, 1087 and counting). Isn't it simpler to block the "trigger", or PuranDefrag from starting another application? Can that be done with EISv9..?

You could block Firefox from running, but not Firefox when started by PuranDefrag. The latter is more of a HIPS feature, which we consciously decided not to implement due to the sheer amount of complexity it adds for normal home users which EIS is targeting. If you want more control, I suggest staying with Online Armor.

It is unlikely to happen. For the firewall we could create rather exhaustive logs, but most people aren't interested in those details. So we don't. For the behavior blocker logs it's more of a technical limitation as the component doesn't provide many details to the GUI to begin with except which process caused it. This is unlikely to change as well, since unlike HIPS it is rarely just one thing that sets the behavior blocker off that could be logged conveniently. It usually is a combination of actions that triggers an alert.

Not at the moment, no.

Correct.

You could block Firefox from running, but not Firefox when started by PuranDefrag. The latter is more of a HIPS feature, which we consciously decided not to implement due to the sheer amount of complexity it adds for normal home users which EIS is targeting. If you want more control, I suggest staying with Online Armor.

As to the logs, there will be no way of actually checking what I may have done wrong in rule setting... It will just stay there and not assist the user. So in order to correct or check what I may have done wrong I'd have to delete the rule and do it all over again. After that, check it again and see what the result is; if not to my liking, I'd have to delete it again and do it all over again. This is what happened to me when EISv9 was blocking the launch of Minitool Partition Wizard. I think that is exhausting to the user and might just instead "allow all".....

You could block Firefox from running, but not Firefox when started by PuranDefrag. The latter is more of a HIPS feature, which we consciously decided not to implement due to the sheer amount of complexity it adds for normal home users which EIS is targeting. If you want more control, I suggest staying with Online Armor.

So in EISv9 we cannot set BB to block or restrict an application from being triggered to run by a program even if you do not place it as trusted. EISv9 BB will throw a pop-up on the "triggered application" (which in this case is firefox.exe). From there you will make an app rule for firefox.exe based on the interception that it (firefox.exe) wants to connect to a computer via port 10xx.

Firefox.exe's "behavior to connect to" is being intercepted/classified as a negative behavior by EISv9's BB and not PuranDefrag's stealth-trigger behavior...

But what happens when another application (say, a trusted application) wants to access the blocked ports? Will I get a pop-up or will the port be blocked/restricted from use in firefox.exe? If EISv9 BB intercepts/blocks the triggered application instead, the guilty program's behavior is free to behave as it wants and start/launch whatever it wants.

I went online and there is a new pop-up again about firefox wanting to connect to a computer via port 10xx. I selected "Blocked all connections" and as a result no connections can be established using firefox.exe.

I deleted the "Autorule" that was created from the "Blocked all connections" and started again this time selecting "Block connection" only. Connection was still established. See image below.

Booting to a partition with Emsisoft IS (EAM_OA Premium), OA Premium HIPS blocks access to the triggered application firefox.exe and prevents it from launching altogether. Thus any connection from the triggered application gets blocked altogether. You can still use firefox.exe. It just blocks firefox.exe launch from Puran. But this is, as you say, a HIPS feature.

Another question comes to my mind which is to block a program from placing an autorun item in,

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Encountered one program like this, Glary Utilities 5>StartupManager.exe. When you exit the StartUp Manager it places an autorun there so when you restart your pc "GUDelayStartUP" will appear as a startup. Can we block that in EISv9 BB? If so how?

In contrast, with OA Premium HIPS I have created a registry block rule for any program that will place an autorun there. The images were done on the same partition I am now using with EISv9. See image below.

Encountered one program like this, Glary Utilities 5>StartupManager.exe. When you exit the StartUp Manager it places an autorun there so when you restart your pc "GUDelayStartUP" will appear as a startup. Can we block that in EISv9 BB? If so how?

The behavior blocker does notice the autorun, but given the circumstances it will deduce that the application creating the autorun entry does so in a non-malicious manner and has a good reputation, so it will not interfere with it. As I mentioned before, behavior blockers are not based on a fixed rule set like HIPS are. They take a lot of additional information into consideration like the exact circumstances under which the autorun was created, the reputation of the file, other actions the application performed previous to the autorun creation, and so on. The result is that EIS will not bother you every single time an application creates an autorun like OA does, but only if the circumstances under which the autorun was created are already suspicious. If you want full control over what is going on on your system and fine tune the rules yourself, OA is the product for you.

The behavior blocker does notice the autorun, but given the circumstances it will deduce that the application creating the autorun entry does so in a non-malicious manner and has a good reputation, so it will not interfere with it. As I mentioned before, behavior blockers are not based on a fixed rule set like HIPS are. They take a lot of additional information into consideration like the exact circumstances under which the autorun was created, the reputation of the file, other actions the application performed previous to the autorun creation, and so on. The result is that EIS will not bother you every single time an application creates an autorun like OA does, but only if the circumstances under which the autorun was created are already suspicious. If you want full control over what is going on on your system and fine tune the rules yourself, OA is the product for you.

Thank you for your explanations Fabian, you rock man! This is what trying-out / testing really is -- understanding the product so you will get a grasp of it. Do allow me some more questions,

I went online and there is a new pop-up again about firefox wanting to connect to a computer via port 10xx. I selected "Blocked all connections" and as a result no connections can be established using firefox.exe.

all FF connections blocked 052714.png

I deleted the "Autorule" that was created from the "Blocked all connections" and started again this time selecting "Block connection" only. Connection was still established. See image below.

puran block connection but connection still established 052714.png

-- Any comment on the "Block connections" and "Block all connections"....?

Also on the log details, I rather think that is exhausting to the user and might just instead "allow all"..... especially since you target "most users" who do not want to be inconvenienced. That is actually what I did. Allowed all and started to click "Allow/Block" in BB until I had landed on what I accepted. It took some time for me. So it may very well be "allow all" and not "Custom"...

Can you try Imageburn.exe with no rules and see how will EISv9 perform...?

I have just installed Imageburn.exe in an old x32 pc with Comodo and I nearly uninstalled it due to the exhausting pop-ups. If not for the logs that I got and checked each item I would have been tempted to place it as Trusted. See "some" of the info I got that nearly led me / tempted me to put Imageburn.exe as Trusted. This is also an exhaustive log (which you guys do not want) which is as you said also a long one, but that is in a way the only thing that will help the user make a correct decision. Just my two cents here....

Will EISv9 throw a pop-up if you have Imageburn.exe installed and the BB is set to "All Allowed"..? (May not throw one...correct?)

If you set "Custom Monitoring" but leave it all unchecked...will BB throw a pop-up when you launch Imageburn.exe? Most of the info quoted above were thrown when I wanted to exit Imageburn.exe. Will EISv9 BB be able to intercept the listed behavior when you exit Imageburn.exe...?

What may be a good setting in EISv9 BB for the given info above..? I am really trying to understand EISv9 so please pardon me for many questions.

Then I applaud your eyesight. If you can provide original size pictures that I can actually read, I will gladly take another look.

Can you try Imageburn.exe with no rules and see how will EISv9 perform...?

Chances are, you won't see anything and EIS/EAM will trust it automatically and allow it to do whatever it wants to do simply because of the reputation of the file as it is a quite popular application amongst our users.

This is also an exhaustive log (which you guys do not want) which is as you said also a long one, but that is in a way the only thing that will help the user make a correct decision. Just my two cents here....

If the user has to make any decision at all you have already lost. That is why we do our best to not bother the user at all and make the correct decisions for him. Bothering the user will always introduce situations where he makes the wrong decision. The log you posted is also a great example why it is useless for average users. For example:

Is the hook that C:\Windows\system32\dwmapi.dll installed legit or not? What is a hook to begin with? What is COM? Is a write access to C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\mshdc.PNF alright? The file name sure looks like a jumbled mess!

There is no point in presenting such a log in a home user product. Sure, if you know what all this means, it may be useful. But in that case, you may want more control over everything going on on your system anyways and you are better off with a complete HIPS.

Will EISv9 throw a pop-up if you have Imageburn.exe installed and the BB is set to "All Allowed"..? (May not throw one...correct?)

It won't, since everything is allowed. That is likely the default category EIS will put ImageBurn in as well due to the file's reputation (lots of our users use the application, almost all of them allowed it, over a long period of time no suspicious activity was observed).

If you set "Custom Monitoring" but leave it all unchecked...will BB throw a pop-up when you launch Imageburn.exe?

No. It will only throw a popup if it observes behavior belonging to one of the categories that is neither allowed nor blocked (or "unchecked" as you put it). There are no alerts for just running a process.

What may be a good setting in EISv9 BB for the given info above..?

Go with the default settings. They are default for a reason. Because they are the best settings for most users.

Then I applaud your eyesight. If you can provide original size pictures that I can actually read, I will gladly take another look.

-- So sorry for it. There was no intention to hide it. Here it is in full.

Chances are, you won't see anything and EIS/EAM will trust it automatically and allow it to do whatever it wants to do simply because of the reputation of the file as it is a quite popular application amongst our users.

-- OK.

---

If the user has to make any decision at all you have already lost. That is why we do our best to not bother the user at all and make the correct decisions for him. Bothering the user will always introduce situations where he makes the wrong decision. The log you posted is also a great example why it is useless for average users. For example:

Is the hook that C:\Windows\system32\dwmapi.dll installed legit or not? What is a hook to begin with? What is COM? Is a write access to C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\mshdc.PNF alright? The file name sure looks like a jumbled mess!

There is no point in presenting such a log in a home user product. Sure, if you know what all this means, it may be useful. But in that case, you may want more control over everything going on on your system anyways and you are better off with a complete HIPS.

-- I think that is the best explanation I've heard.

and this one too. (below)

....but given the circumstances it will deduce that the application creating the autorun entry does so in a non-malicious manner and has a good reputation, so it will not interfere with it. As I mentioned before, behavior blockers are not based on a fixed rule set like HIPS are. They take a lot of additional information into consideration like the exact circumstances under which the autorun was created, the reputation of the file, other actions the application performed previous to the autorun creation, and so on. The result is that EIS will not bother you every single time an application creates an autorun...

It does have its pros and cons depending on the user. Trying it out is best and learning it another matter. Learning/understanding it is best especially when you intend to use the product for the family PC. Having a good grasp of EISv9 is crucial to me as I am now distancing the mentality from being a long user of OA Premium firewall to the new Emsisoft firewall.

No. It will only throw a popup if it observes behavior belonging to one of the categories that is neither allowed nor blocked (or "unchecked" as you put it). There are no alerts for just running a process.

-- OK.

Go with the default settings. They are default for a reason. Because they are the best settings for most users.

-- Will try that out and re-try from scratch. Thanks for all the explanation and understanding.

Some days ago I installed EIS 9.0 beta... today I uninstalled EIS 9.0 beta and installed EAM 9.0 beta just to try; now I can't use EAM because of this message (when I click on free trial): "The free trial of this product has already been used. Would you like to switch to a scanner-only freeware mode now?"

Some days ago I installed EIS 9.0 beta... today I uninstalled EIS 9.0 beta and installed EAM 9.0 beta just to try; now I can't use EAM because of this message (when I click on free trial): "The free trial of this product has already been used. Would you like to switch to a scanner-only freeware mode now?"

How should I proceed?

I've sent you a private message with a license key to use for a free trial.

Guest Tempus

Would it, or will it, be possible to make the Emsisoft main interface smaller? Because I personally find it a bit bulky at its current size. As it is now, you're only able to resize from the default size to a bigger main interface. (My resolution is 1600 X 900... I really liked the size version 8 has.)

Appendix: Btw, no issue found regarding Windows control center when I did a beta update on both systems, in Windows 7 or 8.1.

Guest Janus

Would it, or will it, be possible to make the Emsisoft main interface smaller? Because I personally find it a bit bulky at its current size. As it is now, you're only able to resize from the default size to a bigger main interface. (My resolution is 1600 X 900... I really liked the size version 8 has.)

Appendix: Btw, no issue found regarding Windows control center when I did a beta update on both systems, in Windows 7 or 8.1.

Guest Tempus

Just curious, how will the new version 9 be released? Will it be pushed out as an update to all at once? Or will we see a release strategy where only some European countries, e.g. Germany, will receive the new version, to then be released to everyone after a while?

We intend to provide EAM v9 via update (beta updates only at start) to version 8 users. Once there are no more serious issues found, all non-beta users will get it via update too. Our download servers are able to handle all customers at once, so there is no need to separate by country or similar.

Guest Tempus

Thanks Christian Mairoll... but I hope that Emsisoft one day will reach a point where the download servers can't handle all the customers at once (I hope you know what I mean, because long distance communication can be hard sometimes).

I am happy with the current isolation of OA and EAM because I found OA to hinder my daily workflow since its behavioral blocker is very very aggressive. I got tired of whitelisting stuff left and right.

Now choosing to convert my EAM License + OA License to an EIS license sounds a bit dangerous to me because if for some reason I face the same false positive or annoying behavioral blocker issues from EIS, then I am forced to use both.

Can Emsisoft do what ESET does? In the sense that if you have an ESET Smart Security license, you can use that same product key to activate NOD32 Antivirus only, should you wish to choose so. It makes sense since ESET Smart Security is the internet security suite and is the more expensive product, so it allows you to install a product which has fewer features. I really think this is a good solution since OA and EAM will be merged into EIS.